windows update broke my tpm disk decryption
In a previous post, I set up an encrypted drive on my laptop that will automatically decrypt using keys stored in the TPM of that laptop.
This has been mostly working great for 8 months!! However, this is a dual-boot machine, and a couple of times it has randomly broken after booting into Windows. Presumably this is because a Windows update changed something in the Secure Boot chain (certificates or revocation lists), which is measured into PCR 7, so the TPM policy the key was sealed against no longer matches.
If this happens, the TPM keys need to be re-enrolled. The easiest way to do that is:
sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7+12+14 --wipe-slot=tpm2 <encrypted device>
--tpm2-pcrs should be set to whatever PCR slots you initially set up. You can find that by running
sudo cryptsetup luksDump <encrypted device> | grep tpm2-hash-pcrs
--wipe-slot=tpm2 will wipe the old enrollment, which should no longer be needed. It's optional, so you can remove it if you want to keep the old one for some reason. Since the old TPM enrollment can no longer unlock the volume, systemd-cryptenroll will ask for an existing passphrase (or recovery key) before it adds the new slot, so make sure you still have one.
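The re-enrollment steps above as an added example script (not code from the original post): it reads the enrolled PCR set out of cryptsetup luksDump output instead of retyping it, refuses to continue if no systemd-tpm2 token is found, and only then runs systemd-cryptenroll. The luksDump text embedded in it is a constructed sample, and /dev/placeholder and the function names are assumptions of mine.

```shell
#!/bin/sh
# Re-enroll the LUKS TPM2 slot with the same PCR set as the existing
# enrollment. Added example, not code from the original post.
set -eu

# Constructed sample of the token section that `cryptsetup luksDump`
# prints for a systemd-tpm2 token (only the fields used here are shown).
SAMPLE_DUMP='Tokens:
  0: systemd-tpm2
        tpm2-hash-pcrs:   7+12+14
        tpm2-pcr-bank:    sha256
        Keyslot:    1
  1: systemd-recovery
        Keyslot:    2'

# Read a luksDump on stdin and print the PCR list of the first
# systemd-tpm2 token (e.g. "7+12+14"). Returns 1 if there is none, so the
# caller never re-enrolls with a guessed PCR set. PCR 7 is the one that
# covers the Secure Boot policy, which is why a Windows update can
# invalidate the enrollment.
enrolled_pcrs() {
    pcrs=$(awk '
        /^ *[0-9]+: / { in_tpm = ($2 == "systemd-tpm2") }
        in_tpm && $1 == "tpm2-hash-pcrs:" { print $2; exit }
    ')
    [ -n "$pcrs" ] || return 1
    printf '%s\n' "$pcrs"
}

# Print the exact command that will be run (useful as a dry run).
reenroll_cmd() {
    printf 'systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=%s --wipe-slot=tpm2 %s\n' "$2" "$1"
}

# Real re-enrollment for a device; needs root and will prompt for an
# existing passphrase to unlock the volume before writing the new slot.
reenroll() {
    dev=$1
    pcrs=$(cryptsetup luksDump "$dev" | enrolled_pcrs) || {
        echo "no systemd-tpm2 token on $dev; nothing to re-enroll" >&2
        return 1
    }
    echo "re-enrolling $dev with PCRs $pcrs" >&2
    systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="$pcrs" --wipe-slot=tpm2 "$dev"
}
# Stand-alone demo on the constructed sample: touches no disk or TPM.
# Usage for a real device: reenroll /dev/placeholder (run as root).
pcrs=$(printf '%s\n' "$SAMPLE_DUMP" | enrolled_pcrs)
reenroll_cmd /dev/placeholder "$pcrs"
```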
If you post a reply on another blog or social media, or just want to chat, email me! christopher@cg505.com